IKEv2-ERROR:: Auth exchange failed

dgawaya1

Dear experts,
I'm having some issues; the configurations match on both ends, but I'm still getting the Auth exchange failing.

////// Logs 

Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing ENCR payload
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing VID payload VID
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing IDr payload IDr
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing AUTH payload AUTH
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing SA payload SA
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing TSi payload TSi
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing TSr payload TSr
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing NOTIFY payload NOTIFY(SET_WINDOW_SIZE)
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing NOTIFY payload NOTIFY(ESP_TFC_NO_SUPPORT)
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing NOTIFY payload NOTIFY(NON_FIRST_FRAGS)

Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):Process auth response notify
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):Searching policy based on peer's identity '10.75.2.1' of type 'IPv4 address'
Jun 19 10:37:01.592: IKEv2-ERROR:(SESSION ID = 18530,SA ID = 2):: Failed to locate an item in the database
Jun 19 10:37:01.592: IKEv2:(SESSION ID = 18530,SA ID = 2):Verification of peer's authentication data FAILED
Jun 19 10:37:01.592: IKEv2:(SESSION ID = 18530,SA ID = 2):Auth exchange failed
Jun 19 10:37:01.592: IKEv2-ERROR:(SESSION ID = 18530,SA ID = 2):: Auth exchange failed
Jun 19 10:37:01.592: IKEv2:(SESSION ID = 18530,SA ID = 2):Abort exchange
Jun 19 10:37:01.593: IKEv2:(SESSION ID = 18530,SA ID = 2):Deleting SA
Jun 19 10:37:09.596: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI

Jun 19 10:37:09.596: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 10.75.2.1:500/To 10.75.2.2:500/VRF i0:f3]
Initiator SPI : A2B39E3F76D6DF73 - Responder SPI : 4E5D9F502C38BD7D Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
Jun 19 10:37:09.596: IKEv2-ERROR:: A supplied parameter is incorrect
//////////////
  ////// R1 Configs //// 

crypto ikev2 keyring ikev4_key
peer mypeer
address 0.0.0.0 0.0.0.0
pre-shared-key cisco321
!
crypto ikev2 profile ikev4_prof
match identity remote address 10.75.2.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local ikev4_key


crypto isakmp policy 11
encryption aes 256
hash sha512
authentication pre-share
group 20
lifetime 3600
crypto isakmp key cisco321 address 10.75.2.1

crypto ipsec transform-set tfs4 esp-gcm 256
esn
mode tunnel
crypto ipsec profile ipsec4_prof
set transform-set tfs4
set ikev2-profile ikev4_prof
////// R2 ///configs 


crypto ikev2 keyring ikev4_key
peer mypeer
address 0.0.0.0 0.0.0.0
pre-shared-key cisco321
!
crypto ikev2 profile ikev4_prof
match identity remote address 10.75.2.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local ikev4_key


crypto isakmp policy 11
encryption aes 256
hash sha512
authentication pre-share
group 20
lifetime 3600
crypto isakmp key cisco321 address 10.75.2.2

crypto ipsec transform-set tfs4 esp-gcm 256
esn
mode tunnel
crypto ipsec profile ipsec4_prof
set transform-set tfs4
set ikev2-profile ikev4_prof
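The failing sequence in the debug above (AUTH payload parsed, "Searching policy based on peer's identity", "Failed to locate an item in the database", then "Auth exchange failed") is worth being able to pick out mechanically when reading long IKEv2 debugs. The following Python is an added example written for this thread, not code from the original post or from Cisco: it groups per-session IKEv2 debug lines, records the identity the responder searched for, and separates "no profile matched this identity" from a plain pre-shared-key mismatch. The sample log is a constructed cut-down copy of the lines posted above, and the function and field names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a cut-down copy of the debug lines quoted in the post.
SAMPLE_LOG = """\
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing AUTH payload AUTH
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):Searching policy based on peer's identity '10.75.2.1' of type 'IPv4 address'
Jun 19 10:37:01.592: IKEv2-ERROR:(SESSION ID = 18530,SA ID = 2):: Failed to locate an item in the database
Jun 19 10:37:01.592: IKEv2:(SESSION ID = 18530,SA ID = 2):Verification of peer's authentication data FAILED
Jun 19 10:37:01.592: IKEv2-ERROR:(SESSION ID = 18530,SA ID = 2):: Auth exchange failed
Jun 19 10:37:01.592: IKEv2:(SESSION ID = 18530,SA ID = 2):Abort exchange
Jun 19 10:37:09.596: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
"""

# Per-session debug lines: timestamp, optional -ERROR tag, session/SA ids, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): IKEv2(?P<err>-ERROR)?:"
    r"\(SESSION ID = (?P<session>\d+),SA ID = (?P<sa>\d+)\):+ ?(?P<msg>.*)$"
)
IDENTITY_RE = re.compile(r"peer's identity '(?P<id>[^']+)' of type '(?P<type>[^']+)'")


def parse_lines(text):
    """Yield (session_id, is_error, message) for every per-session IKEv2 line.

    Lines without a SESSION ID (such as the invalid-SPI error) are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["session"], bool(m["err"]), m["msg"].strip()


def triage(text):
    """Group lines by session and record the facts needed to explain an auth failure."""
    sessions = defaultdict(lambda: {
        "peer_identity": None,
        "identity_type": None,
        "profile_lookup_failed": False,
        "auth_failed": False,
        "errors": [],
    })
    for session, is_error, msg in parse_lines(text):
        s = sessions[session]
        ident = IDENTITY_RE.search(msg)
        if ident:
            s["peer_identity"], s["identity_type"] = ident["id"], ident["type"]
        if "Failed to locate an item in the database" in msg:
            s["profile_lookup_failed"] = True
        if msg == "Auth exchange failed":
            s["auth_failed"] = True
        if is_error:
            s["errors"].append(msg)
    return dict(sessions)


def diagnose(summary):
    """Turn one session summary into a short finding for the operator."""
    if summary["auth_failed"] and summary["profile_lookup_failed"]:
        return (f"no IKEv2 profile matched peer identity {summary['peer_identity']} "
                f"({summary['identity_type']}); check 'match identity' and 'match fvrf'")
    if summary["auth_failed"]:
        return "AUTH payload verification failed; check the pre-shared keys on both peers"
    return "no auth failure seen"


if __name__ == "__main__":
    for session_id, summary in triage(SAMPLE_LOG).items():
        print(f"session {session_id}: {diagnose(summary)}")
```

The distinction the script draws matters for where to look next: "Failed to locate an item in the database" right after the identity search means the responder never found a profile for that peer identity in that front-door VRF, so the key itself was never compared; a failure without that line points at the keyring instead.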





@dgawaya1 Authentication is failing; is the peer sending the IP address (10.75.2.1) as defined? Please provide the rest of the configuration, including physical and tunnel interfaces etc.

Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):Searching policy based on peer's identity '10.75.2.1' of type 'IPv4 address'
Jun 19 10:37:01.592: IKEv2-ERROR:(SESSION ID = 18530,SA ID = 2):: Failed to locate an item in the database
Jun 19 10:37:01.592: IKEv2:(SESSION ID = 18530,SA ID = 2):Verification of peer's authentication data FAILED

@Rob Ingram 

///R1 

SYD1PAXVR002#sh run int tun 11
Building configuration...

Current configuration : 332 bytes
!
interface Tunnel11
description Vivienne Court GRE/IPsec tunnel
vrf forwarding VRF-TUNNEL2
ip address 10.3.3.2 255.255.255.252
ip mtu 1336
ip tcp adjust-mss 1296
tunnel source GigabitEthernet0/0/2
tunnel mode ipsec ipv4
tunnel destination 10.75.2.1
tunnel vrf VRF-TUNNEL2
tunnel protection ipsec profile ipsec4_prof
end

SYD1PAXVR002#sh run int gi0/0/2
Building configuration...

Current configuration : 122 bytes
!
interface GigabitEthernet0/0/2
vrf forwarding VRF-TUNNEL2
ip address 10.75.2.2 255.255.255.240
negotiation auto
end

///R2 


interface Tunnel11
description Vivienne Court GRE/IPsec tunnel
ip address 10.3.3.1 255.255.255.252
ip mtu 1336
ip tcp adjust-mss 1296
tunnel source GigabitEthernet0/0/2
tunnel mode ipsec ipv4
tunnel destination 10.75.2.2
tunnel protection ipsec profile ipsec4_prof
end

SYD2PAXVR002#sh run int gi0/0/2
Building configuration...

Current configuration : 94 bytes
!
interface GigabitEthernet0/0/2
ip address 10.75.2.1 255.255.255.240
negotiation auto
end

@dgawaya1 You are using a VRF on R1, so you need to ensure you match the VRF under the IKEv2 profile.

crypto ikev2 profile ikev4_prof 
match fvrf VRF-TUNNEL2

You also need to ensure that under the IKEv2 policy you also define the VRF, if you haven't already.

Here is an example of using VRF under FlexVPN - https://integratingit.wordpress.com/2019/04/22/flexvpn-vrf/
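To see why R1's profile was not found even though its "match identity remote address 10.75.2.1" line looks right, it helps to model profile selection as two checks, identity and front-door VRF, rather than one. The Python below is an added example for this thread (not code from the post, from Rob's link, or from Cisco): it parses IKEv2 profile blocks from a config snippet and reports which profile, if any, a session from a given peer identity arriving in a given fvrf would select. It assumes that a profile with no "match fvrf" line matches only sessions in the global VRF, which is what the outcome of this thread suggests; confirm that default against the IOS XE documentation for your release. The sample profile text is a constructed copy of R1's profile, before and after the "match fvrf" line, and the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample: R1's IKEv2 profile as first posted (no fvrf match),
# and the same profile once 'match fvrf VRF-TUNNEL2' has been added.
R1_PROFILE_BEFORE = """\
crypto ikev2 profile ikev4_prof
 match identity remote address 10.75.2.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev4_key
"""
R1_PROFILE_AFTER = R1_PROFILE_BEFORE + " match fvrf VRF-TUNNEL2\n"


def parse_ikev2_profiles(config):
    """Collect 'match identity remote address' networks and 'match fvrf' per profile."""
    profiles = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev2 profile (\S+)$", line)
        if m:
            current = profiles.setdefault(m.group(1), {"identities": [], "fvrf": None})
            continue
        if current is None:
            continue
        m = re.match(r"match identity remote address (\S+) (\S+)$", line)
        if m:
            # ipaddress accepts a dotted netmask, so 10.75.2.1 255.255.255.255 -> /32
            current["identities"].append(
                ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
            continue
        m = re.match(r"match fvrf (\S+)$", line)
        if m:
            current["fvrf"] = m.group(1)
    return profiles


def select_profile(profiles, peer_ip, fvrf="global"):
    """Return the first profile whose fvrf and identity match, or None.

    fvrf is the VRF the IKE packet arrived in, i.e. the VRF of the tunnel
    source interface ('tunnel vrf' on the tunnel), not the VRF of the
    traffic inside the tunnel.
    """
    addr = ipaddress.ip_address(peer_ip)
    for name, p in profiles.items():
        # Assumption (see lead-in): no 'match fvrf' means the global VRF only.
        wanted = p["fvrf"] or "global"
        if wanted != "any" and wanted != fvrf:
            continue
        if any(addr in net for net in p["identities"]):
            return name
    return None


if __name__ == "__main__":
    before = parse_ikev2_profiles(R1_PROFILE_BEFORE)
    after = parse_ikev2_profiles(R1_PROFILE_AFTER)
    print("before, session in VRF-TUNNEL2:", select_profile(before, "10.75.2.1", "VRF-TUNNEL2"))
    print("after,  session in VRF-TUNNEL2:", select_profile(after, "10.75.2.1", "VRF-TUNNEL2"))
```

Run against the two snippets, the unmodified profile is selected only for a session in the global VRF, while the profile with "match fvrf VRF-TUNNEL2" is selected for the VRF the tunnel source GigabitEthernet0/0/2 actually lives in, which is the situation on R1.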

 

My tunnel interface went down when I configured "match fvrf VRF-TUNNEL2".

Sorry to see that your issue is not solved completely.
Two points:
1- First, you configured an ISAKMP policy, but IKEv2 uses a different policy; it is configured with

crypto ikev2 proposal <prop> <<- setting below must match in both Peers
integrity <> 
encrypt <>
group <>

crypto ikev2 policy <poli>
proposal <prop>

2- Some ISR IOS XE routers do not support esp-gcm 256, so try another SA.

MHM
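The point above, that the IKEv2 proposal (encryption, integrity, DH group) has to agree on both peers and that the ISAKMP policy plays no part in it, can be checked before bringing a tunnel up. The following Python is an added example for this thread, not code from the post or from Cisco: it parses the algorithm lines of a "crypto ikev2 proposal" block from each peer and reports the algorithms they have in common per transform type; an empty set for any type means no proposal can be agreed. The two proposal snippets are constructed for the example and are not the thread's configs, and the function names are the example's own.

```python
# Constructed sample proposals for two peers (illustrative, not from the thread).
PEER_A_PROPOSAL = """\
crypto ikev2 proposal prop-a
 encryption aes-cbc-256 aes-cbc-128
 integrity sha512 sha384
 group 19 20
"""
PEER_B_PROPOSAL = """\
crypto ikev2 proposal prop-b
 encryption aes-cbc-256
 integrity sha512
 group 20 21
"""

TRANSFORM_TYPES = ("encryption", "integrity", "group")


def parse_proposal(config):
    """Return {'encryption': set, 'integrity': set, 'group': set} for one proposal block.

    IOS lists several algorithms per line; each is offered to the peer.
    """
    fields = {t: set() for t in TRANSFORM_TYPES}
    for raw in config.splitlines():
        parts = raw.split()
        if parts and parts[0] in fields:
            fields[parts[0]].update(parts[1:])
    return fields


def common_transforms(a, b):
    """Per transform type, the algorithms both peers offer."""
    return {t: a[t] & b[t] for t in TRANSFORM_TYPES}


def proposals_compatible(a, b):
    """True only if every transform type has at least one algorithm in common."""
    return all(common_transforms(a, b).values())


def mismatch_report(a, b):
    """List the transform types with nothing in common, for the operator."""
    return [t for t, algs in common_transforms(a, b).items() if not algs]


if __name__ == "__main__":
    a = parse_proposal(PEER_A_PROPOSAL)
    b = parse_proposal(PEER_B_PROPOSAL)
    print("common:", common_transforms(a, b))
    print("compatible:", proposals_compatible(a, b), "missing:", mismatch_report(a, b))
```

With the sample input the peers agree on aes-cbc-256, sha512 and group 20, so a proposal can be chosen; dropping group 20 from either side leaves "group" empty and the report names it as the transform type to fix.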
   

I've moved away from esp-gcm. No luck yet.

 

If the tunnel source on one or both peers uses a VRF, you need the below:

crypto ikev2 proposal <prop> <<- setting below must match in both Peers
integrity <> 
encrypt <>
group <>

crypto ikev2 policy <poli>
proposal <prop>

Match fvrf <>

Also, you need under

Crypto ikev2 profile <>

Match fvrf <>

And under the tunnel you need

Tunnel vrf <>

Before I go any further, show crypto isakmp sa has no results, but show crypto ipsec sa does. Also, it looks like the auth failed message is not in the logs anymore. The tunnel is up! Could this indicate a success?

///////////////R1 (hub) /////////////////////////////////////////

SYD1PAXVR002#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

SYD1PAXVR002#show crypto ipsec profile ipsec4_prof
IPSEC profile ipsec4_prof
IKEv2 Profile: ikev4_prof
Security association lifetime: 4608000 kilobytes/3600 seconds
Dualstack (Y/N): N

Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
tfs4: { esp-256-aes esp-sha384-hmac } ,
}

SYD1PAXVR002#show crypto ipsec sa

 

interface: Tunnel11
Crypto map tag: Tunnel11-head-0, local addr 10.75.2.2

protected vrf: VRF-TUNNEL2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.75.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.75.2.2, remote crypto endpt.: 10.75.2.1
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/2
current outbound spi: 0xA682ACA0(2793581728)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x30A77BC2(816282562)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel, }
conn id: 2326, flow_id: ESG:326, sibling_flags FFFFFFFF80004048, crypto map: Tunnel11-head-0, initiator : True
sa timing: remaining key lifetime (k/sec): (4608000/1738)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xA682ACA0(2793581728)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel, }
conn id: 2325, flow_id: ESG:325, sibling_flags FFFFFFFF80004048, crypto map: Tunnel11-head-0, initiator : True
sa timing: remaining key lifetime (k/sec): (4608000/1738)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
SYD1PAXVR002#

///latest logs ////


Jun 19 22:11:11.088: IKEv2:(SESSION ID = 18530,SA ID = 2):Sending Packet [To 10.75.2.1:500/From 10.75.2.2:500/VRF i3:f3]
Initiator SPI : C0578C28121285F3 - Responder SPI : 21508F9228CACA2D Message id: 27
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

Jun 19 22:11:11.088: IKEv2:(SESSION ID = 18530,SA ID = 2):Check for existing IPSEC SA

Jun 19 22:11:11.092: IKEv2:(SESSION ID = 18530,SA ID = 2):Received Packet [From 10.75.2.1:500/To 10.75.2.2:500/VRF i0:f3]
Initiator SPI : C0578C28121285F3 - Responder SPI : 21508F9228CACA2D Message id: 27
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

Jun 19 22:11:11.092: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing ENCR payload
Jun 19 22:11:11.092: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing DELETE payload DELETE

Jun 19 22:11:11.092: IKEv2:(SESSION ID = 18530,SA ID = 2):Processing ACK to informational exchange
Jun 19 22:11:11.092: IKEv2:(SESSION ID = 18530,SA ID = 2):Check for existing IPSEC SA
Jun 19 22:33:21.935: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: g] [Source: 10.2.64.25] [localport: 22] at 08:33:21 AEST Thu Jun 20 2024
SYD1PAXVR002#




 

It is IKEv2, so you need to use the below:

Show crypto ikev2 sa 

Show crypto session 

And from what I see, yes, the IPsec IKEv2 session is successfully UP.

MHM

 

SYD1PAXVR002#Show crypto ikev2 sa
IPv4 Crypto IKEv2 SA


Tunnel-id Local Remote fvrf/ivrf Status
2 10.75.2.2/500 10.75.2.1/500 VRF-TUNNEL2/VRF-TU READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/55584 sec
CE id: 21797, Session-id: 26121
Local spi: C0578C28121285F3 Remote spi: 21508F9228CACA2D

IPv6 Crypto IKEv2 SA

SYD1PAXVR002#
SYD1PAXVR002#
SYD1PAXVR002# Show crypto session
Crypto session current status

Interface: Tunnel11
Profile: ikev4_prof
Session status: UP-ACTIVE
Peer: 10.75.2.1 port 500
Session ID: 18530
IKEv2 SA: local 10.75.2.2/500 remote 10.75.2.1/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

 

That's perfect, and the tunnel is UP from the output.

MHM